Federal Agencies Told to Support TLS 1.2 by 2015

NIST has released SP 800-52 Revision 1, which provides guidance to federal agencies on the use of Transport Layer Security. The standard recommends that all agencies support TLS 1.2 by Jan. 1, 2015.

U.S. federal government agencies are being told they should move to TLS 1.2 by the beginning of 2015.

The National Institute of Standards and Technology (NIST) recently released NIST Special Publication 800-52 Revision 1, which includes the final public comments made since SP 800-52 was withdrawn last March and a new draft was submitted late last year. NIST SP 800-52 is nine years old and had not been sufficiently updated since then to comprehensively address known vulnerabilities in the standard and in implementations. Revision 1 acts as an update to the NIST standard, which is used by agencies in the selection, configuration and use of TLS.

TLS secures sensitive data in transport by encrypting the network tunnels along which information moves. TLS 1.2 addresses a number of risky security vulnerabilities in how TLS is implemented, the NIST document said.

NIST said it hopes adoption of the guidelines will promote the use of updated, NIST-approved ciphersuites and algorithms, improve the consistency of authentication mechanisms protecting data transport, and defend against known attacks targeting TLS.

NIST also hopes that consistent government adoption of these recommendations will trickle down and serve as an example for the private sector.

“While these guidelines are primarily designed for Federal users and system administrators to adequately protect sensitive but unclassified U.S. Federal Government data against serious threats on the Internet, they may also be used within closed network environments to segregate data,” the report said.

It seems that attacks and vulnerabilities in long-trusted encryption protocols have been elevated to the summit of security concerns. Not only has a multitude of allegations made in the leaked Snowden documents cast doubt on the integrity of encryption capabilities, but massive Internet-wide bugs such as Heartbleed, GnuTLS and the Apple GoToFail bug have further shaken trust in the security of the Internet.

The NIST document, published last week, gives agencies guidance in purchasing and implementing TLS under the coverage of FIPS- and NIST-approved crypto algorithms. TLS 1.1 configured with a FIPS-based ciphersuite is the minimum secure transport protocol allowed, the document says.

Authors

Threatpost
